Gmail’s end-to-end encryption makes its way to mobile, one year after being introduced on the web.
In summary: Google has introduced end-to-end encryption in Gmail for both Android and iOS, bridging the mobile gap that existed after the feature was launched on the web in April 2025. Google Workspace Enterprise Plus users with the Assured Controls add-on can now directly compose and read encrypted messages in the Gmail app without needing additional software. External recipients not using the Gmail app can read and respond through a secure web portal in any browser. The rollout is currently active for both Rapid Release and Scheduled Release domains.
The gap in mobile enterprise end-to-end email
For a year, Gmail's end-to-end encryption was available exclusively on the desktop web, leaving many enterprise decision-makers without access. Google first introduced client-side encryption for Gmail on April 1, 2025, coinciding with the service’s 21st anniversary. This allowed Enterprise Plus customers to send encrypted messages that even Google cannot access, as the encryption and decryption processes occur on the user’s device instead of Google’s servers. In October 2025, Google expanded this feature to include external recipients, enabling encrypted Gmail messages sent to non-Gmail addresses to reach recipients via a secure web portal instead of being undeliverable or unencrypted. However, throughout these developments, the Gmail mobile app for Android and iOS lacked a similar capability. Users attempting to send or read encrypted messages on their phones had no built-in option until the April 2026 update, which now allows composing and reading encrypted messages directly within the app on both platforms. This update treats mobile users as active participants in encrypted communications rather than mere observers needing to log in from a desktop. The importance of closing this gap has heightened, especially after Anthropic unveiled a research model that could exploit zero-day vulnerabilities and autonomously confirm its breach to researchers, underscoring that email continues to be a highly vulnerable channel in enterprise security while the evolving threat landscape outpaces many organizations' defenses.
How the encryption operates
The underlying technology is client-side encryption, which Google has been integrating into Workspace for several years across services like Drive, Docs, Sheets, Meet, and now Gmail. The central concept is key custody: rather than relying on encryption managed by Google, an organization's IT administrator sets up Gmail to utilize encryption keys stored outside of Google's infrastructure, typically through a third-party key management service. When a user opts to send a message with encryption enabled by tapping the lock icon in the compose window and selecting additional encryption, the device encrypts the message and its attachments before transmission. Google’s servers only receive encrypted data. On the recipient's side, the experience varies based on their email client. If the recipient uses the Gmail app with encryption enabled, the message appears as a normal email thread, with decryption occurring seamlessly. However, if the recipient employs a different email platform, Gmail provides a link to a secure, web-based version of Gmail, allowing them to read and reply without needing a Gmail account. It is important to note that the attachment size limit under client-side encryption is reduced to 5MB, compared to the standard 25MB in Gmail, which administrators should inform users about prior to rollout. Administrators must explicitly enable client-side encryption for Android and iOS in the Workspace admin console for users to access the feature on mobile.
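The key-custody idea described above, as an added example that is not part of the original article and is not Google's implementation: a simplified envelope-encryption model in Node.js in which the device encrypts with a per-message key, an organization-run key service wraps that key, and the mail provider stores only ciphertext. All names (`ExternalKeyService`, `encryptOnDevice`, `decryptOnDevice`, `providerCanRead`) are hypothetical, and the 5MB limit is assumed to mean 5 × 1024 × 1024 bytes.

```javascript
// Added illustration: simplified model of client-side encryption with external key custody.
// Hypothetical names throughout; this is not Google's protocol or API.
const crypto = require("crypto");
const MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024; // article's 5MB limit (assumed binary MB)

// AES-256-GCM encrypt: returns nonce, ciphertext and authentication tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
// AES-256-GCM decrypt: throws if the key is wrong or the data was modified.
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Stands in for the organization's key service, hosted outside the mail provider.
class ExternalKeyService {
  constructor() { this.kek = crypto.randomBytes(32); } // never leaves the service
  wrap(dataKey) { return seal(this.kek, dataKey); }
  unwrap(wrapped) { return open(this.kek, wrapped); }
}

// Sender's device: encrypt body and attachment before anything is transmitted.
function encryptOnDevice(keyService, body, attachment = Buffer.alloc(0)) {
  if (attachment.length > MAX_ATTACHMENT_BYTES) {
    throw new RangeError("attachment exceeds the 5MB client-side encryption limit");
  }
  const dataKey = crypto.randomBytes(32); // fresh key per message
  return { // this envelope is everything the mail provider receives
    body: seal(dataKey, Buffer.from(body, "utf8")),
    attachment: seal(dataKey, attachment),
    wrappedKey: keyService.wrap(dataKey),
  };
}

// Recipient's device: ask the key service to unwrap, then decrypt locally.
function decryptOnDevice(keyService, envelope) {
  const dataKey = keyService.unwrap(envelope.wrappedKey);
  return open(dataKey, envelope.body).toString("utf8");
}

// Provider's view: without the key service, decryption fails authentication.
function providerCanRead(envelope, guessedKey) {
  try { open(guessedKey, envelope.body); return true; } catch { return false; }
}
```

The wrapped key travels with the message, so revoking access at the key service makes stored ciphertext unreadable without touching the mailbox.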
Target market: regulated industries
Availability criteria clearly define the target audience for this feature. It is restricted to Google Workspace Enterprise Plus accounts that include either the Assured Controls or Assured Controls Plus add-on. Assured Controls is a compliance-driven product tier developed for organizations operating under regulations that mandate data localization, export controls, or limit Google employees' access to their data. This primarily encompasses US federal contractors, financial services firms, healthcare organizations, and multinational enterprises that have data sovereignty responsibilities across regions. For these clients, being able to send encrypted emails from mobile devices is not just an added convenience but a necessity for compliance, as regulated communications must continue even when executives are away from their offices. Microsoft remains Google's chief competitor in the enterprise productivity suite market with its Microsoft 365 suite, which includes its own email encryption and serves over 80,000 enterprises, including 80% of Fortune 500 companies. The mobile encryption gap had provided Microsoft a competitive edge in discussions regarding security, especially in industries where mobile device management and encrypted communications are critically assessed. With Google's April 2026 update, this gap is now closed.
A year of steady development and future outlook
The rollout of Gmail's encryption has followed Google's typical approach to deploying enterprise features: gradual, careful, and structured by capability tier. The web launch in April 2025 allowed IT administrators the opportunity to assess the feature in a controlled setting. The October 2025 expansion to external recipients made the feature practically useful, as encryption limited to a single organization is of little value when communicating with clients, regulators, or partners. The April 2026 mobile release enhances its practicality in the workflows of regulated-industry employees. The enterprise technology environment into which this
